diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1e24a9778c2d2..3c62445832a0b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -661,6 +661,21 @@ jobs:
 run: |
 ./scripts/ci/lib.sh registry_rw_login "quay.io/${QUAY_ORG}"
+ - name: Build operator helm chart
+ if: matrix.arch == 'amd64'
+ run: make -C operator/ chart
+
+ - name: Bundle chart to preserve permissions
+ if: matrix.arch == 'amd64'
+ run: tar -cvzf "$(pwd)/operator-chart-${{ matrix.name }}.tgz" -C operator/dist/chart .
+
+ - uses: ./.github/actions/upload-artifact-with-retry
+ if: matrix.arch == 'amd64'
+ with:
+ name: operator-chart-${{ matrix.name }}
+ path: operator-chart-${{ matrix.name }}.tgz
+ if-no-files-found: error
+
 - name: Build Operator Bundle image
 if: |
 matrix.name != 'STACKROX_BRANDING'
diff --git a/.github/workflows/release-ci.yaml b/.github/workflows/release-ci.yaml
index f28143aa12eaf..b97210c1842c5 100644
--- a/.github/workflows/release-ci.yaml
+++ b/.github/workflows/release-ci.yaml
@@ -96,6 +96,12 @@ jobs:
 - uses: ./.github/actions/download-artifact-with-retry
 with:
 name: cli-build
+ - uses: ./.github/actions/download-artifact-with-retry
+ with:
+ name: operator-chart-RHACS_BRANDING
+ - uses: ./.github/actions/download-artifact-with-retry
+ with:
+ name: operator-chart-STACKROX_BRANDING
 - name: Publish Helm charts to stackrox/release-artifacts
 env:
 STACKROX_TAG: ${{ github.ref_name }}
@@ -109,7 +115,7 @@ jobs:
 mkdir -p "${HOME}/.local/bin"
 mv bin/linux_amd64/roxctl "${HOME}/.local/bin/roxctl"
 scripts/ci/lib.sh \
- push_helm_charts "${STACKROX_TAG}"
+ push_helm_charts "${STACKROX_TAG}" "$(pwd)/operator-chart-RHACS_BRANDING.tgz" "$(pwd)/operator-chart-STACKROX_BRANDING.tgz"
 # Publish `roxagent` and `roxctl`.
 publish-cli:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b2e6d25fccd1..7a18d987fd5ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
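Review bot: The new `Build operator helm chart` step runs `make -C operator/ chart`, and the `chart` target in this same commit branches on `ROX_IMAGE_FLAVOR` to choose between the rhacs and stackrox chart names, yet none of the added steps set that variable. The two `matrix.name` variants therefore only produce different charts if a job-level `env` outside this hunk derives `ROX_IMAGE_FLAVOR` from `matrix.name`; if it does not, the explicit form `run: make -C operator/ chart ROX_IMAGE_FLAVOR=<flavor-for-this-matrix-entry>` would make the dependency visible in the workflow itself. A comment on the step naming where the flavor comes from would help either way. The enclosing job definition starts outside the hunk.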
@@ -18,6 +18,7 @@ Changes should still be described appropriately in JIRA/doc input pages, for inc
 roxctl's "central crs generate" supports specifying a maximum number of cluster registrations using the new parameter "--max-clusters".
 - ROX-24311: Detection and enforcement for pods/attach Kubernetes event.
+- ROX-33099: New Operator Helm Chart is now the only recommended way to install on non-OpenShift clusters.
 - ROX-33098 (Tech Preview): Effective path and Actual Path have been combined into a single File Path policy criterion.
 - ROX-33156 (Tech Preview): A new default policy category called "File Activity Monitoring" is now available.
diff --git a/operator/Makefile b/operator/Makefile
index 41fd03d136a46..f4ddaefad8346 100644
--- a/operator/Makefile
+++ b/operator/Makefile
@@ -323,7 +323,9 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 chart: kubebuilder manifests ## Generate a helm chart with all necessary resources.
 # The dependency above makes sure protos are up to date, so we can skip this time-consuming process below
 # by specifying the SKIP env var. Otherwise each target that kubebuilder invokes (and there is a bunch) would regen protos.
+ if [ "$(ROX_IMAGE_FLAVOR)" = opensource ]; then sed -i'.bak' -e 's,^projectName: rhacs-operator,projectName: stackrox-operator,' PROJECT; fi
 ROX_OPERATOR_SKIP_PROTO_GENERATED_SRCS=true $(KUBEBUILDER) edit --plugins=helm/v2-alpha --force
+ if [ "$(ROX_IMAGE_FLAVOR)" = opensource ]; then mv PROJECT.bak PROJECT; fi
 sed -i'.bak' -e 's,0.1.0,$(VERSION),g' dist/chart/Chart.yaml
 rm -f dist/chart/Chart.yaml.bak
diff --git a/operator/PROJECT b/operator/PROJECT
index 0d297bd10cc76..ec8ed40dc8330 100644
--- a/operator/PROJECT
+++ b/operator/PROJECT
@@ -11,7 +11,7 @@ plugins:
 output: dist
 manifests.sdk.operatorframework.io/v2: {}
 scorecard.sdk.operatorframework.io/v2: {}
-projectName: rhacs-operator
+projectName: stackrox-operator
 repo: github.com/stackrox/rox
 resources:
 - api:
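Review bot: The added `sed` in the `chart` target rewrites `projectName: rhacs-operator` to `stackrox-operator` for the opensource flavor, but the `operator/PROJECT` hunk in this same commit already changes the committed value to `projectName: stackrox-operator`, so the substitution matches nothing and both flavors now generate a chart named `stackrox-operator`. This looks like the PROJECT change is the sed's own output committed by accident: `mv PROJECT.bak PROJECT` only runs if `$(KUBEBUILDER) edit` succeeds, so one failed opensource run leaves PROJECT modified in the working tree. Either revert the PROJECT hunk so the rhacs default is preserved, or make the restore robust to a failing edit (for example keep the copy under a name git ignores and restore it in the target's error path). The `chart` recipe continues outside the hunk, so there may be further PROJECT handling not visible here.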
diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
index 3708bb4b9352c..f57ff3e60cbe6 100755
--- a/scripts/ci/lib.sh
+++ b/scripts/ci/lib.sh
@@ -1111,11 +1111,13 @@ publish_openapispec() {
 }
 push_helm_charts() {
- if [[ "$#" -ne 1 ]]; then
- die "missing arg. usage: push_helm_charts "
+ if [[ "$#" -ne 3 ]]; then
+ die "missing arg. usage: push_helm_charts "
 fi
 local tag="$1"
+ local operator_rhacs_chart_tarball="$2"
+ local operator_stackrox_chart_tarball="$3"
 echo "Publish Helm charts to github repository stackrox/release-artifacts and create a PR" >> "${GITHUB_STEP_SUMMARY}"
@@ -1123,11 +1125,16 @@ push_helm_charts() {
 local secured_cluster_services_chart_dir
 central_services_chart_dir="$(mktemp -d)"
 secured_cluster_services_chart_dir="$(mktemp -d)"
+ operator_chart_dir="$(mktemp -d)"
 roxctl helm output central-services --image-defaults=rhacs --output-dir "${central_services_chart_dir}/rhacs"
 roxctl helm output central-services --image-defaults=opensource --output-dir "${central_services_chart_dir}/opensource"
 roxctl helm output secured-cluster-services --image-defaults=rhacs --output-dir "${secured_cluster_services_chart_dir}/rhacs"
 roxctl helm output secured-cluster-services --image-defaults=opensource --output-dir "${secured_cluster_services_chart_dir}/opensource"
- "${SCRIPTS_ROOT}/scripts/ci/publish-helm-charts.sh" "${tag}" "${central_services_chart_dir}" "${secured_cluster_services_chart_dir}"
+ mkdir "${operator_chart_dir}/rhacs"
+ tar -zxf "${operator_rhacs_chart_tarball}" -C "${operator_chart_dir}/rhacs"
+ mkdir "${operator_chart_dir}/opensource"
+ tar -zxf "${operator_stackrox_chart_tarball}" -C "${operator_chart_dir}/opensource"
+ "${SCRIPTS_ROOT}/scripts/ci/publish-helm-charts.sh" "${tag}" "${central_services_chart_dir}" "${secured_cluster_services_chart_dir}" "${operator_chart_dir}"
 }
 gitbot() {
diff --git a/scripts/ci/publish-helm-charts.sh b/scripts/ci/publish-helm-charts.sh
index 17300684e3562..f12baf290564b 100755
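Review bot: In the second hunk, `operator_chart_dir="$(mktemp -d)"` is assigned without a `local` declaration, unlike `local secured_cluster_services_chart_dir` directly above it (and presumably a matching declaration for `central_services_chart_dir` just outside the hunk), so the new variable becomes a shell global that outlives `push_helm_charts`; add `local operator_chart_dir` next to the existing declaration. The two `tar -zxf` calls rely on the tarball paths having been validated by the `$#` check in the first hunk only, so a missing or non-readable artifact fails with a raw tar error; a short `[[ -f "${operator_rhacs_chart_tarball}" ]] || die "..."` per path would give the same clear message the other inputs get. The function's local declarations begin before this hunk.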
--- a/scripts/ci/publish-helm-charts.sh
+++ b/scripts/ci/publish-helm-charts.sh
@@ -11,17 +11,20 @@ set -euo pipefail
 remote_repository="https://github.com/stackrox/release-artifacts.git"
 remote_subdirectory="helm-charts"
-version="$1"
-central_services_chart="$2"
-secured_cluster_services_chart="$3"
+version="${1:-}"
+central_services_chart="${2:-}"
+secured_cluster_services_chart="${3:-}"
+operator_chart_dir="${4:-}"
 [[ -n "$version" ]] || die "No version specified"
 [[ -n "$central_services_chart" ]] || die "No central services chart path specified!"
 [[ -n "$secured_cluster_services_chart" ]] || die "No secured cluster services chart path specified!"
+[[ -n "$operator_chart_dir" ]] || die "No operator chart path specified!"
 echo "Publishing charts for version $version"
 echo " Central Services Chart location: ${central_services_chart}"
 echo " Secured Cluster Services Chart location: ${secured_cluster_services_chart}"
+echo " Operator Chart location: ${operator_chart_dir}"
 if is_release_test_stream "$version"; then
 # send to #acs-slack-integration-testing when testing the release process
@@ -45,11 +48,13 @@ mkdir "${tmp_remote_repository}/${remote_subdirectory}/${version}"
 cp -a "${central_services_chart}/opensource" "${tmp_remote_repository}/${remote_subdirectory}/${version}/central-services"
 cp -a "${secured_cluster_services_chart}/opensource" "${tmp_remote_repository}/${remote_subdirectory}/${version}/secured-cluster-services"
+cp -a "${operator_chart_dir}/opensource" "${tmp_remote_repository}/${remote_subdirectory}/${version}/operator"
 mkdir "${tmp_remote_repository}/${remote_subdirectory}/rhacs/${version}"
 cp -a "${central_services_chart}/rhacs" "${tmp_remote_repository}/${remote_subdirectory}/rhacs/${version}/central-services"
 cp -a "${secured_cluster_services_chart}/rhacs" "${tmp_remote_repository}/${remote_subdirectory}/rhacs/${version}/secured-cluster-services"
+cp -a "${operator_chart_dir}/rhacs" "${tmp_remote_repository}/${remote_subdirectory}/rhacs/${version}/operator"
 mkdir -p "${tmp_remote_repository}/${remote_subdirectory}/opensource"
@@ -57,6 +62,8 @@ echo "Packaging Helm chart for file ${central_services_chart}/opensource/Chart.y
 helm package -d "${tmp_remote_repository}/${remote_subdirectory}/opensource" "${central_services_chart}/opensource"
 echo "Packaging Helm chart for file ${secured_cluster_services_chart}/opensource/Chart.yaml"
 helm package -d "${tmp_remote_repository}/${remote_subdirectory}/opensource" "${secured_cluster_services_chart}/opensource"
+echo "Packaging Helm chart for file ${operator_chart_dir}/opensource/Chart.yaml"
+helm package -d "${tmp_remote_repository}/${remote_subdirectory}/opensource" "${operator_chart_dir}/opensource"
 echo "Building OSS helm repo index"
 helm repo index "${tmp_remote_repository}/${remote_subdirectory}/opensource"